In December, 2015 the Copyright Office initiated a policy study focused on Section 1201 of the Digital Millennium Copyright Act (DMCA), which prohibits the circumvention of technological protection measures (TPMs). CDT commented in the initial phase of this study, and recently commented again in response to the Office’s request for additional comments, which addresses proposals to update the statute. The Copyright Office is right to take a hard look at Section 1201, which very much needs updating to protect security researchers
How do Section 1201, TPMs, and security research relate to each other? First, let me share some background and definitions. TPMs are like digital locks that prevent access to copyrighted works so that copying them is more difficult; for example, TPMs are what lock your phone to prevent carrier switching, and what lock your car so that only a dealership can run diagnostics. However, Section 1201 makes it illegal to bypass these locks whether or not you infringe copyright. Because of this, the use of TPMs has spread from digital copies of music and movies to nearly everything containing a digital copy of a protected work. Unfortunately, in many cases TPMs are added not out of concern for copyright protection, but instead to promote other business interests like excluding competitors.
When crafting 1201, lawmakers anticipated that the broad prohibition on bypassing TPMs could lead to scenarios where users might be prevented from making non-infringing uses of their copies of protected works. Their solution was to create narrow exemptions for a few reasons for circumventing TPMs and a process to make temporary exemptions for other non-infringing uses. Unfortunately, the language of the statute’s built-in exemptions, which are aimed at enabling research, testing, and reverse engineering, makes it difficult for researchers to know whether they would qualify for the exemption. This uncertainty comes with a risk of liability under the statute and the possibility of costly legal battles, leading researchers to ask for temporary exemptions instead of risking reliance on a permanent exemption.
This burdensome process takes time and money from researchers who would otherwise invest those resources in helping to keep software safe from attack.
The temporary exemptions provide more certainty than do the statutory exemptions, but the added certainty comes at a high cost. Every three years, exemption proponents must describe the “class” of copyrighted works they wish to make use of and prove that TPMs prevent them from making non-infringing uses of works within this class. Although the statute does not dictate this, the Copyright Office has relied on one snippet of legislative history to require proponents to prove this anew every three years, even if the same exemption had been granted in the previous term. This burdensome process takes time and money from researchers who would otherwise invest those resources in helping to keep software safe from attack. And this time, the exemption for security research was delayed for a year, leaving security researchers with only two-thirds of a normal exemption period.
CDT is pleased that the Copyright Office is taking a hard look at Section 1201 and hopes to see positive changes result from this policy study. However, we were disappointed to see that the study has become focused solely on legislative changes and that the Office’s proposals only address the permanent statutory exemptions, but not the temporary exemption rulemaking process. CDT is concerned that the proposed amendments would not provide lasting improvements and therefore would not significantly ease the strain on the triennial rulemaking process. Further, opening up Section 1201 to legislative changes risks an unnecessary invitation to amend other parts of the DMCA, potentially disrupting the statute’s intermediary liability protections.
In our comments, CDT suggests that making the temporary exemption process less burdensome, which could be done without legislation, would provide a more positive and lasting impact on 1201 than amending the permanent exemptions. Specifically, reevaluating the legislative history around which the Office has formed the way it conducts the proceeding could make it much easier to renew a previously granted exemption. This one change could conserve the resources of exemption proponents and the Copyright Office by reducing the evidentiary and administrative burdens and could add certainty in the form of temporal stability to the temporary exemptions themselves. A shift toward presumptive renewals would improve the value of temporary exemptions by increasing the likelihood of their continued duration, but retain a flexibility that would be difficult to achieve by amending the permanent exemptions.
As the use of copyrighted software expands, more exemptions will be needed to enable access to and non-infringing uses of works protected by TPMs.
CDT also encourages the Office to issue guidance as to its interpretation of the ambiguous elements within the existing permanent exemptions. Following the guidance of the expert agency for copyright would help researchers determine with greater certainty whether their research activities would be covered by one of these exemptions, potentially eliminating the need to apply for a temporary exemption.
As the use of copyrighted software expands, more exemptions will be needed to enable access to and non-infringing uses of works protected by TPMs and the need for those exemptions will last more than three years. Modifications to the temporary exemption process is the best way to enable those uses. We hope the Office will consider pursuing these suggestions through the administrative actions within its power.